In recent years, in order to reduce costs, there has also been an increasing shift of patients from the in-patient to the out-patient sector. However, this can lead to a considerable reduction in costs only if the medical data obtained can be transmitted efficiently and in real time to the appropriate medical establishment for analysis and evaluation purposes. This also takes place increasingly with the aid of communication networks.
In this context, however, a large number of difficulties and sources of risk arise, which are of high importance because of the high level of security required when treating patients and operating medical devices. The use of communication networks in this sector thus also creates a new type of risk to patients and to the operators of medical devices. It is possible for the medical device to be compromised by an influence coming from the communication network in such a way that this leads to a risk to the treated patient or to a malfunction of the medical device. Such an influence, which may lead to a possible risk to the medical device, will hereinafter be referred to as an attack on the medical device. Such an attack may, for example, be caused by software which deliberately attempts to exploit gaps in security in order to gain access to or falsify confidential data of the computer system contained in the medical device, which data may be used for criminal purposes. Such software will hereinafter be referred to as malware. Since malware corrupts targeted parts of the functionality of a computer system in order to find or falsify the data, it must be assumed that there is a particularly high risk to the patient or to the correct functioning of the medical device if said computer system is attacked by malware.
In order to be able to ensure the data security and confidentiality of the data contained in the network, communication networks are usually designed on the assumption that parts of the network have different security levels. At the points of separation between these areas, security mechanisms such as firewalls are usually installed. However, the focus of the protection provided by these security mechanisms lies in data security and confidentiality, which is of particular interest commercially, and is not adapted, or is adapted only incompletely, to the requirements stemming from medical devices.
It is even possible for there to be an attack on a medical device by other communication partners, i.e. usually medical devices within the part of a communication network that is regarded as secure, even though the individual communication partners are operating without faults. Each partner has a communication behaviour regarded as cooperative, but this behaviour may build up when summed and in certain situations may lead to a malfunction. This is comparable to a traffic jam on a motorway, which arises spontaneously and without a perceptible external cause when the vehicle density reaches a certain level. Alternatively, there may be an attack on a medical device by other medical devices within the part of the communication network that is regarded as secure if the communication protocols of two classes of medical devices lead to possible misinterpretations or if the other medical device is overloaded by the communication of the medical devices.
The potential risk becomes particularly high when all-round software components, such as customary operating systems, are used to set up the medical device. Such all-round software components have been developed for a number of possible applications, have a high inherent complexity and are therefore particularly susceptible to the risk of an attack. The manufacturer of a medical device is in a dilemma here since, on the one hand, the software component used poses a potential risk but, on the other hand, developing the medical devices without the use of such components is so complex that this itself results in a high potential risk to the patient or to the correct functioning of the medical device. What makes the use of such software components even more risky is the fact that malware is usually written specifically for such software components and therefore exploits gaps in security therein in a targeted manner. The malware can pass into the medical device either indirectly via a connection of the secure part of the communication network to an insecure part, or else directly via data carriers, or via a combination of both pathways.